CVE-2020-1893
Summary
| CVE | CVE-2020-1893 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-03-03 15:15:00 UTC |
| Updated | 2020-03-05 20:36:00 UTC |
| Description | Insufficient boundary checks when decoding JSON in TryParse reads out of bounds memory, potentially leading to DOS. This issue affects HHVM 4.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between 4.33.0 and 4.38.0 (inclusive), versions between 4.9.0 and 4.32.0 (inclusive), and versions prior to 4.8.7. |
Risk And Classification
Problem Types: CWE-125
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Hhvm | All | All | All | All | |
| Application | Hhvm | 4.39.0 | All | All | All | |
| Application | Hhvm | 4.40.0 | All | All | All | |
| Application | Hhvm | 4.41.0 | All | All | All | |
| Application | Hhvm | 4.42.0 | All | All | All | |
| Application | Hhvm | 4.43.0 | All | All | All | |
| Application | Hhvm | 4.44.0 | All | All | All | |
| Application | Hhvm | 4.45.0 | All | All | All | |
| Application | Hhvm | All | All | All | All | |
| Application | Hhvm | 4.39.0 | All | All | All | |
| Application | Hhvm | 4.40.0 | All | All | All | |
| Application | Hhvm | 4.41.0 | All | All | All | |
| Application | Hhvm | 4.42.0 | All | All | All | |
| Application | Hhvm | 4.43.0 | All | All | All | |
| Application | Hhvm | 4.44.0 | All | All | All | |
| Application | Hhvm | 4.45.0 | All | All | All | |
| Application | Hhvm | All | All | All | All | |
| Application | Hhvm | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Security Update | HHVM | CONFIRM | hhvm.com | Vendor Advisory |
| Fix a buffer-overrun in SimpleParser · facebook/hhvm@bd58667 · GitHub | CONFIRM | github.com | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.